CMMC Assessment Evidence: What Counts, What Fails, and How to Build a Defensible Package
CMMC assessment evidence is final, in-scope information that supports a finding that each applicable assessment objective is satisfied — approved records, system configurations, logs, interviews, and observed behavior. Where an objective addresses implementation or operation, the evidence has to show more than written intent. Assessors gather it three ways — examine, interview, and test — and every applicable objective has to come back MET (or Not Applicable) for its parent requirement to pass. The evidence must be in final form, not draft (32 CFR §170.24). Level 1 has 59 assessment objectives; Level 2 has 320. No rule sets a universal artifact count — sufficiency is the assessor’s professional judgment. And here’s the part that changed the ground under everyone’s feet this week: as of July 13, 2026, new third-party assessment designations are paused — but your self-assessment evidence still matters, and below we’ll show you exactly why.
Let’s get you to certainty fast, then close every follow-up so you don’t have to search again.
The quick decision, before you scroll
| Your question | The short answer |
|---|---|
| What counts as evidence? | Final, in-scope information — records, configs, logs, interviews, observed behavior — that supports a finding on a specific assessment objective |
| Is a policy enough? | Only for the facts a policy establishes; implementation and operating objectives usually need technical, activity, personnel, or test evidence too |
| Can screenshots count? | Yes — for the point-in-time state they show. The risk is overstating what one snapshot proves about scope, population, or duration |
| Is there a fixed artifact count? | No. Sufficiency is the assessor’s judgment against each applicable objective and your scope |
| How long is evidence retained? | Six years from the CMMC Status Date (32 CFR §170.17(c)(4)) |
| When must evidence be hashed? | Only for C3PAO and DCMA DIBCAC assessments — never for self-assessments |
| What paths can currently be designated? | During the suspension, Level 1 (Self) and Level 2 (Self), where the applicable contract requires them |
Here’s the honest part, up front — our one caveat, and it’s the reason this page exists. There is no official, universal CMMC evidence checklist. No fixed screenshot quota. No blanket “evidence must be under 90 days old.” The controlling sources require findings at the objective level and let assessors choose the methods and objects that give them sufficient confidence (CMMC Assessment Guide – Level 2, which — like all the assessment guides — states that it does not have the force and effect of law). An exploratory February 2026 preprint based on 17 assessor responses reported that evidence-sampling practices vary with assessor judgment and perceived risk (Therrien & Hastings, arXiv, February 2026 — nonbinding and self-reported, but useful color). So anyone selling you a one-size-fits-all “compliance folder” is overselling.
That’s not bad news. It’s the whole game. A folder-dump loses; an objective-mappedpackage wins — and this page hands you the framework, the family-by-family map, and a free tool to build that package without uploading a single sensitive file. If your evidence is scattered across tickets, portals, screenshots, and people’s heads, you may be behind on proof, on security, or on both. The evidence map tells you which. All of it is fixable — but only once you separate an evidence gap from an implementation gap.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
What the July 13, 2026 CMMC Phase II suspension changes — and what it doesn’t
The suspension pauses new Level 2 (C3PAO) and Level 3 (DIBCAC) procurement designations; it does not pause your duty to safeguard federal data or your active self-assessment obligations. As of , the Department of War suspended the Phase II transition scheduled for November 10, 2026, and opened a 60-day review of the program (DoW release, July 13, 2026). Level 1 (Self) and Level 2 (Self) remain the permitted CMMC procurement designations, NIST SP 800-171 Revision 2 remains the baseline, and DFARS 252.204-7012 stays in force.
Why now? Capacity, mostly. DoW CIO Kirsten Davies told reporters on July 13, 2026 that more than 100,000 DIB businesses still needed a third-party assessment while roughly 100 assessors were available — dated, reported estimates, not a live Cyber AB Marketplace count, but the point lands: the math didn’t work for small and mid-sized firms to comply by the former November date (Breaking Defense, July 13, 2026). The Small Business Administration commended the move, and the Department’s July 13 release says recent data — including SBA reports — showed compliance burdens were pushing companies out of the DIB. The Department framed it as aligning CMMC with Secretary Hegseth’s Acquisition Transformation System: speed to capability, lower barriers for small business, cybersecurity without the paperwork tax.
What’s active right now
- Level 1 (Self) and Level 2 (Self) designations, where the applicable solicitation, contract, subcontract, or modification requires them
- Annual affirmation obligations where they apply
- NIST SP 800-171 Rev. 2 as the safeguarding standard
- DFARS 252.204-7012 (safeguarding covered defense information; 72-hour incident reporting where that clause applies)
- Select government-led assessments
- The November 10, 2026 Phase II transition
- New Level 2 (C3PAO) designations in solicitations
- New Level 3 (DIBCAC) designations in solicitations
What we can’t tell you— and won’t pretend to — is what the Department will adopt after its 60-day review. It could reinstate assessments, reshape them, or replace them. We won’t speculate. What we cansay is that stopping your evidence work now would be a mistake: you still self-assess, you still affirm under a senior official’s signature, and the underlying controls still have to be real. If the review brings assessments back in a leaner form, the contractors who kept their evidence mapped and current will move first.
One thing that did not change: the affirmation is a legal act. The Affirming Official attests that the organization has implemented — and will maintain — all applicable security requirements for its CMMC Status across the relevant scope, entered in SPRS after the applicable assessment and annually thereafter (32 CFR Part 170). That’s a representation to the government. A knowingly false or materially misleading cybersecurity representation tied to a claim for payment or award eligibility can create False Claims Act exposure — and the statute reaches not just actual knowledge but deliberate ignorance and reckless disregard (31 U.S.C. §3729). The suspension lowered the assessment burden. It did not lower the truth bar.
What counts as CMMC assessment evidence?
CMMC assessment evidence is any information — a document, a configuration, a log, a record, or an observed action — that supports a finding about a specific assessment objective inside your defined scope. It comes from four kinds of “assessment objects” — specifications, mechanisms, activities, and individuals — and it can be examined, discussed in an interview, or tested. Which combination applies depends on what gives the assessor (or you, in a self-assessment) sufficient confidence that the objective is met (NIST SP 800-171A; CMMC Assessment Guide – Level 2).
The four kinds of assessment objects
NIST SP 800-171A — the June 2018 companion publication that tells you howthe 800-171 requirements are assessed — sorts everything an assessor looks at into four object types:
- Specifications— the written artifacts: policies, procedures, System Security Plans (SSPs), standards, architecture and data-flow diagrams.
- Mechanisms— the technology doing the work: firewalls, identity providers, logging systems, encryption, endpoint protection.
- Activities — the things people and systems actually do: account reviews, backups, log reviews, incident exercises, vulnerability remediation.
- Individuals— the people who perform or manage a safeguard, including your external service providers’ staff.
Strong evidence usually touches more than one. A policy (specification) says what should happen; a configuration export (mechanism) shows the system enforcing it; an interview (individual) confirms the person understands the process; a demonstration (activity) shows it working. Line those up and the objective is easy to substantiate.
Examine, interview, and test are methods— not three mandatory artifacts
This trips people up constantly, so let’s be precise. Examine, interview, and test are the three assessment methods defined in NIST SP 800-171A:
- Examine— the assessor reviews the evidence object (reads the policy, inspects the config, reads the logs).
- Interview— the assessor talks to the people who run the control to understand how it actually works.
- Test— the assessor exercises the mechanism or activity and compares real behavior to expected behavior.
Here’s the nuance a lot of competing pages get wrong: the guide does not require all three methods for every objective. Assessors select the methods and objects needed for the particular objective (NIST SP 800-171A). The guide does note that most objectives will involve some testing — because testing is what separates “we wrote it down” from “it actually runs.” If a page tells you every one of the 320 objectives must be examined and interviewed and tested, be skeptical of it.
For a deep look at all 320 determination statements, family by family, see our companion explainer: NIST 800-171A Assessment Objectives: The 320 CMMC Checks. This page stays focused on the evidence package.
What a policy can prove — and what it can’t
A written, approved policy is real evidence. It just can’t carry the whole weight. A policy reliably establishes intent, scope, roles, required parameters, review cadence, and governance. On its own, it does notestablish that a setting is actually configured, that the rule is enforced across every in-scope user, that an activity happened, or that the control operates today. That gap — between “documented” and “implemented” — is where most evidence problems live.
What CMMC evidence is unacceptable, or commonly insufficient?
Drafts, working papers, and unofficial or unapproved policies cannot support a MET finding — the scoring rule says so directly. Plenty of other evidence is perfectly genuine and still falls short when it’s out of scope, stale for the fact it’s proving, incomplete across the relevant population, disconnected from the SSP, or contradicted by an interview or a live test (32 CFR §170.24).
Under the CMMC Scoring Methodology, a requirement is scored MET only when all applicable objectives are satisfied based on evidence, and — in the rule’s own words — all evidence must be in final form and not draft; working papers, drafts, and unofficial or unapproved policies are unacceptable (32 CFR §170.24). Note the precise scope of that rule: evidence relied on for MET must be final rather than draft, and an unofficial or unapproved policycan’t support MET. It does not slap an “approved” label on every technical log, configuration export, interview, or test result. Representative failure patterns:
- Draft or unapproved documentation.A draft SSP, a procedure nobody signed, a template with placeholders still in it, a vendor policy you downloaded but never adopted. Not final, not approved, can’t support MET.
- Generic product documentation used as proof of your implementation. A vendor datasheet shows what a product cando. It doesn’t show what you bought, what you enabled, how it’s configured, which assets it covers, or that it’s running in your scoped environment.
- Point-in-time proof presented as continuous operation.One MFA screenshot. One successful backup. One employee’s training certificate. One endpoint reporting to your EDR. These can help — the failure is overstating what a single snapshot proves about a whole population over time.
- Evidence from outside your assessment scope. A beautifully configured corporate laptop fleet proves nothing about a separate CUI enclave unless it actually supports the scoped implementation.
- Contradictions between the SSP, the people, and the live system. Your SSP says every privileged remote login requires multi-factor authentication (MFA). In the interview, the administrator mentions an exception. The live test confirms the exception is active. The polished policy does not rescue you — because an applicable objective genuinely isn’t satisfied, that requirement is NOT MET. (Illustrative scenario, not a specific case.)
Weak evidence vs. defensible evidence
Same objective, two very different outcomes. This is the difference between a package that survives scrutiny and one that generates findings:
| The objective | Weak presentation | Defensible presentation |
|---|---|---|
| Authorized users only | Policy says access is approved | Approved policy + current user population + authorization source + a demonstration that access is actually enforced |
| Audit log review | Screenshot showing logs exist | Log-source inventory + current logs + a documented review record + an alert-and-response record |
| Security awareness training | The training slide deck | Role-to-training mapping + assignment records + completion records + interviewed staff who can explain the process |
| Incident response | The signed IR plan | The plan + named responders + a tabletop/exercise record + after-action follow-up |
| System Security Plan | An SSP exists | A current SSP whose boundary, assets, data flows, providers, and implementation statements reconcile with the live evidence |
Notice the pattern: weak evidence asserts; defensible evidence demonstrates— across the population, in final form, consistent with what people say and systems do.
How much CMMC assessment evidence is enough?
There is no fixed artifact count that makes evidence “enough.” The test is whether your evidence establishes every applicable objective across your scope with sufficient confidence — while staying final, current for the fact it asserts, and consistent with interviews and live operation (CMMC Assessment Guide – Level 2). Assessors sample based on risk and complexity and exercise judgment on sufficiency, which is exactly why organized, retrievable evidence beats sheer volume.
Two words do a lot of work here, and they’re worth separating (our editorial framing, grounded in the guide’s language):
- Adequate — the evidence is relevant to the claimed implementation.
- Sufficient — there’s enough of it to support the conclusion across the applicable scope and circumstances.
Adequate isn’t automatically sufficient. And the reverse of the old myth is also true: one clean example can be all it takes, when that example is an authoritative, complete population export. Sometimes it isn’t. It depends.
The DCR Evidence Chain
Volume isn’t the metric. Coverage is. We use a six-link framework — the DCR Evidence Chain — to pressure-test any single piece of proof. It’s an editorial tool, not an official CMMC score or finding; a missing link is a signal to investigate, not a verdict.
| Evidence-chain link | The question you must answer | Failure signal |
|---|---|---|
| 1. Objective fit | Which exact determination statement does this proof support? | The file is mapped only to a broad family or requirement, not an objective |
| 2. Scope coverage | Does it cover the users, systems, locations, assets, and providers inside the boundary? | A clean example from one system hides an uncovered population |
| 3. Operational proof | Does it show the control implemented and operating — not just intended? | A policy exists, but settings, records, or behavior disagree |
| 4. Currency | Does it represent today’s environment or the operating period claimed? | Old system names, retired populations, superseded configs |
| 5. Final & approved | Is it final rather than draft — and, for policies, official rather than unapproved? | Draft watermark, an unapproved policy, a working paper |
| 6. Traceability & retrieval | Can the owner find it and explain it, with its context intact? | Broken links, mystery filenames, no owner, inaccessible repository |
When one example doesn’t prove the relevant population
If the objective covers “all authorized users,” one user’s record may not prove it. One endpoint may not prove every scoped endpoint. One approved change may not prove your normal change process. One month of logs may not prove your stated retention period. How deeply an assessor samples depends on the objective, the population, the environment, the quality of your evidence, and the assurance needed — and the controlling sources prescribe no universal sample size. The practical move: know which of your objectives are provable with one authoritative artifact and which need a population, and don’t guess.
And this is where the provider question starts to matter.The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
Build your evidence map, one objective at a time.
Don’t start with folders — start with objectives. Our CMMC Readiness Checklist walks all 14 control families and shows you, objective by objective, where your evidence stands — no uploads, no CUI, no sensitive data required.
→ Open the Readiness Checklist
Why 110 CMMC Level 2 requirements become 320 evidence decisions
CMMC Level 2 is scored at the 110-requirement level, but each requirement is broken into one or more NIST SP 800-171A determination statements — 320 in total. Every applicable objective must be satisfied for a requirement to be MET; one unmet applicable objective makes the whole requirement NOT MET (NIST SP 800-171A; 32 CFR §170.24). That’s why a tidy 110-row “implemented?” checklist can hide gaps — one checkbox may stand for several distinct facts that each need their own proof.
Take the first requirement, 3.1.1. It sounds like one thing: limit system access to authorized users, processes, and devices. NIST SP 800-171A breaks it into sixdetermination statements — identify authorized users; identify processes acting on their behalf; identify authorized devices and systems; then verify that access is limited to each of those three categories. You could have five nailed and miss the sixth, and the whole requirement comes back NOT MET.
Here’s the verified structure. CMMC Level 2 maps to NIST SP 800-171 Revision 2: 110 security requirements, organized into 14 control families, expanded into 320 assessment objectives (NIST SP 800-171A). (Level 1 is smaller: 15 basic safeguarding requirements from FAR 52.204-21 and 59 assessment objectives. The mapping table in 32 CFR §170.15 shows 17 rows because one FAR safeguard is split into three phrases for assessment mapping — those rows are not 17 separate “controls.”)
Where the 320 objectives actually sit
| Family | Rev. 2 requirements | Determination statements | Share of 320 |
|---|---|---|---|
| Access Control | 22 | 70 | 21.9% |
| Configuration Management | 9 | 44 | 13.8% |
| System & Communications Protection | 16 | 41 | 12.8% |
| Audit & Accountability | 9 | 29 | 9.1% |
| Identification & Authentication | 11 | 25 | 7.8% |
| System & Information Integrity | 7 | 20 | 6.3% |
| Physical Protection | 6 | 16 | 5.0% |
| Media Protection | 9 | 15 | 4.7% |
| Incident Response | 3 | 14 | 4.4% |
| Security Assessment | 4 | 14 | 4.4% |
| Maintenance | 6 | 10 | 3.1% |
| Awareness & Training | 3 | 9 | 2.8% |
| Risk Assessment | 3 | 9 | 2.8% |
| Personnel Security | 2 | 4 | 1.3% |
| Total | 110 | 320 | 100% |
Five families — Access Control, Configuration Management, System & Communications Protection, Audit & Accountability, and Identification & Authentication — carry 209 of the 320 determination statements (65.3%). Again: that’s where the guide decomposes most finely, and therefore where your evidence-mapping effort concentrates. It is not a prediction of where you’ll fail.
One version note, because getting it wrong is expensive: CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. NIST superseded Revision 2 with Revision 3 in May 2024, but CMMC stays tied to Revision 2 because 32 CFR §§170.2 and 170.14 expressly incorporate Revision 2 and the June 2018 SP 800-171A procedures. Revision 3 will not control a CMMC assessment unless DoD changes the governing rule. Prepare your evidence against Rev. 2.
What evidence should you collect for each CMMC control family?
Each of the 14 NIST SP 800-171 Rev. 2 families needs a different mix of governance, technical configuration, completed activity, responsible people, and testing. The matrix below is a DCR editorial starting point for evidence planning — it is not an official prescribed artifact list, and it does not, by itself, prove any requirement is MET. Use it to see the pattern for each family, then map the exact objectives in your scope.
| Family (Rev. 2 requirements) | Representative evidence focus | Representative objective evidence | Common evidence-risk example — DCR editorial |
|---|---|---|---|
| Access Control (22) | Account authorization, roles, least privilege, remote access, session control | Approved access policy, user-to-role authorization list, remote-access (VPN) config, session lock/timeout, access-enforcement records | Access list doesn’t match reality; least privilege can’t be demonstrated across the scoped population |
| Awareness & Training (3) | Role-based training coverage | Training policy, role-to-training matrix, completion records with dates and names, insider-threat materials | Undated or incomplete records; generic annual training with no role-based coverage |
| Audit & Accountability (9) | Logging coverage, review, protection, time sync | Logging policy, log-source inventory, sample logs of required events, review records, time-sync config, alerting | Logs exist, but review, coverage, retention, or protection can’t be demonstrated |
| Configuration Management (9) | Baselines, change control, least functionality | CM policy, approved baselines, change tickets, approved-software list, port/service restrictions | The documented baseline doesn’t match the live configuration |
| Identification & Authentication (11) | Unique IDs, MFA (incl. IA.L2-3.5.3), credential protection | Identity policy, IdP settings, account populations, MFA enforcement config, authentication logs | MFA “enabled” but not enforced for privileged, remote, device, or service identities |
| Incident Response (3) | Plan, testing, reporting readiness | IR plan, tabletop/exercise records, incident tracking log, DFARS 252.204-7012 72-hour reporting procedure (where that clause applies), contact list | A polished plan that’s never been exercised, or that doesn’t match real escalation behavior |
| Maintenance (6) | Controlled and remote maintenance | Maintenance policy, maintenance logs, remote-session records, sanitization-before-maintenance evidence | Third-party maintenance activity isn’t inventoried, authorized, or logged |
| Media Protection (9) | Encryption, marking, transport, sanitization | Media policy, encryption settings, removable-media controls, transport logs, sanitization certificates | Removable media, backups, or multifunction-device storage omitted from scope; no sanitization records |
| Personnel Security (2) | Screening and access removal | Screening records, termination/transfer procedures, disabled-account and badge-return records | HR and IT records don’t prove timely access removal on termination |
| Physical Protection (6) | Facility access, visitors, monitoring | Physical-access policy, badge and visitor logs, access reviews, facility diagram, alternate-site (home office) controls | Evidence covers HQ but omits shops, warehouses, or home offices in scope |
| Risk Assessment (3) | Assessment, scanning, remediation | Risk-assessment policy and completed assessment, vulnerability-scan reports, remediation tracking | Scans run, but scope, review, or remediation is unproven |
| Security Assessment (4) | SSP, plans of action, continuous monitoring | Current approved SSP, operational plan of action with deficiency reviews and progress, control-assessment records | SSP is stale, aspirational, or disconnected from the evidence; the plan of action shows no progress; drafts submitted |
| System & Communications Protection (16) | Boundary protection, encryption, segmentation | Firewall/VPN configs, evidence that cryptography protecting CUI confidentiality meets the applicable FIPS-validation requirement, a network diagram that matches reality, enclave boundary | The diagram doesn’t match the live architecture; the boundary is broader than documented |
| System & Information Integrity (7) | Flaw remediation, malware protection, monitoring | Patch/remediation reports, EDR/AV status and update logs, monitoring/alert config, alert-handling records | Tools installed, but coverage, currency, or response and closure can’t be demonstrated |
Start with the boundary, not the folder tree.Before you gather a single artifact, nail down scope: your CUI data flow, whether you handle FCI or CUI, which systems and locations are in scope, which people and roles, your external service providers and cloud services, your Security Protection Assets and Contractor Risk Managed Assets, and the SSP boundary. Evidence has to trace to and substantiate the implementation, assets, people, locations, and provider responsibilities inside that scope. (An artifact can be generated or stored elsewhere if that handling is authorized and its connection to the scoped implementation is clear — the point is traceability, not the physical location of the file.)
Get the full 14-family evidence matrix — free, no email wall.
Our CMMC Readiness Checklist includes the complete family evidence map, organized by control family, with evidence-index fields you can hand straight to your team.
→ Open the CMMC Readiness Checklist
Do policies, screenshots, logs, interviews, and demonstrations all count?
Each of these can be valid CMMC assessment evidence when it’s relevant to the objective and inside scope — but none is automatically sufficient just because it exists. Documents show approved intent and process, technical artifacts show system state, records show activity over time, interviews clarify how a control really runs, and tests show actual behavior. The strongest package uses whatever combination of methods and objects it takes to substantiate the objective with sufficient confidence (NIST SP 800-171A; CMMC Assessment Guide – Level 2).
| Evidence type | Strongest at proving | What it cannot prove alone | Event that should trigger re-verification |
|---|---|---|---|
| Approved policy | Governance, scope, rules, roles | That the control operates | Policy revision; boundary or ownership change |
| Procedure | The defined process and responsibilities | That it was actually followed | Process change; new tooling |
| SSP | The boundary and implementation narrative | That reality matches the narrative | Any material scope, asset, or provider change |
| Screenshot | A point-in-time state | Scope, population, or duration | Config change; new systems added |
| Configuration export | Detailed technical state | The full population or history | Major configuration change; migration |
| Log | A recorded event or activity | Source, scope, integrity, interpretation on its own | Logging or retention change |
| Ticket | A completed workflow and its owner | The normal population from one instance | Process or owner change |
| Training report | Assigned and completed training | Understanding or role fit | New hires; role changes; annual cycle |
| Interview | Knowledge and how the process runs | Anything a record or system contradicts | Personnel or process change |
| Live demonstration | Actual behavior under stated conditions | Coverage of all in-scope assets | Environment change |
| Vendor documentation | Product capability, shared responsibilities | Your actual deployment | New provider; contract or service change |
| Customer responsibility matrix | The split between you and your provider | That it reconciles with the SSP and real config | Provider or service change |
What happens when your evidence disagrees with itself
This is the make-or-break moment in a lot of assessments, so be clear-eyed. When examine, interview, and test point in different directions, you don’t get to pick the flattering one:
- A signed policy does not overrule a contradictory configuration.
- A working system does not cure a missing governance fact when the objective requires that thing to be defined or documented.
- An interview cannot turn an unimplemented safeguard into a MET control.
- A screenshot cannot prove a process ran consistently over an extended period.
If the contradiction means an applicable objective genuinely isn’t satisfied, the requirement is NOT MET, and the assessor documents why (32 CFR §170.24). If it’s a reconcilable discrepancy — a stale reference, a naming mismatch, a typo — reconcile and document it before assessment day, not during. Do the reconciliation first, so nothing surprises you in the room.
For a domain-by-domain breakdown of what assessors may ask, and how to prepare each interviewee to explain and demonstrate your evidence, see our companion guide: CMMC Assessment Interview Questions by Domain.
How current does CMMC evidence need to be?
Neither 32 CFR Part 170 nor the official CMMC Assessment Guides set one universal freshness period for every artifact — no blanket 30, 60, or 90 days. But contract-specific requirements, your own procedures, a control’s stated cadence, or the fact being proven can still impose a timing requirement. Evidence should be current enough to substantiate the present implementation or the operating period you’re claiming (32 CFR §170.24; CMMC Assessment Guide – Level 2). The right question isn’t “how old is this file?” It’s “does this still prove the objective for the environment being assessed?”
- More static evidence— approved policies, facility diagrams, system architecture, SSP sections, role definitions — doesn’t expire under one universal CMMC clock, but it still has to stay accurate and follow every applicable review cadence.
- More dynamic evidence— account populations, patch status, access reviews, log reviews, vulnerability scans, training completions, incident activity, backup/recovery records — needs to reflect the period and cadence relevant to the claim. A single stale scan doesn’t prove an ongoing vulnerability-management program.
Refresh your evidence after any of these events:
- A material SSP or boundary change
- A new cloud or external service provider
- An identity-provider migration
- An acquisition or divestiture
- A new facility or remote-work model
- A major configuration change
- A new CUI flow
- A significant incident
- A leadership or process-owner change
- A policy revision
- An assessment or affirmation
- An update to the rule, clause, guide, or assessment process
Self-assessment vs. C3PAO vs. DIBCAC: how evidence handling differs
For a given level, self-assessment and third-party assessment use the same requirements and the same objectives — a Level 2 (Self) and a Level 2 (C3PAO) both run against the 110 Revision 2 requirements and the 320 Level 2 objectives. What changes is who performs the assessment, the independence requirement, the reporting path, and how artifacts are handled. During the current suspension, new procurement designations are limited to Level 1 (Self) and Level 2 (Self); the C3PAO and DIBCAC rows below describe codified pathways whose new designations are presently paused (DoW release, July 13, 2026).
| Path | Current designation status | Who assesses | Where the result goes | Artifact retention | Hashing required? |
|---|---|---|---|---|---|
| Level 1 (Self) | Active | Your organization; affirmed by a senior official | SPRS | Six years | No |
| Level 2 (Self) | Active | Your organization; affirmed by a senior official | SPRS | Six years | No |
| Level 2 (C3PAO) | Codified; new designations paused | An authorized or accredited C3PAO (Certified Third-Party Assessment Organization) | CMMC eMASS, then SPRS | Six years | Yes |
| Level 3 (DIBCAC) | Codified; new designations paused | DCMA DIBCAC | CMMC eMASS, then SPRS | Six years | Yes |
A self-assessment is not the easy version.Same 110 requirements, same 320 objectives, same scoring methodology as a Level 2 (C3PAO) — the criterion doesn’t get weaker because you’re grading your own work (32 CFR §§170.16, 170.17). What’s weaker, frankly, is the safety net: nobody independent is going to catch the gap before you affirm.
There’s a second axis people constantly blur, so separate it cleanly. CMMC Levels (1, 2, 3) are one thing. The NIST SP 800-171 DoD Assessment confidence levels — Basic, Medium, and High — are a different thing, tied to the DFARS assessment clauses and how much independent verification backs your score. Under DoD Class Deviation 2026-O0025 (effective February 1, 2026), the NIST SP 800-171 government-assessment clause is DFARS 252.240-7997 (Medium and High government assessments), while codified DFARS still displays 252.204-7019 and 252.204-7020, and 252.204-7021 remains the CMMC clause. Read the actual solicitation or contract and its applicable deviation rather than assuming one clause set applies everywhere.
For a detailed comparison of Level 2 self-assessment vs C3PAO decision factors, see our guide: CMMC Level 2 Self-Assessment vs. C3PAO.
How long must CMMC evidence be retained, and when must it be hashed?
Assessment artifacts must be retained for six years from the CMMC Status Date, and self-assessments do not require artifact hashing — hashing applies only to the codified C3PAO and DCMA DIBCAC paths, using a NIST-approved algorithm (SHA-256) to prove the evidence wasn’t altered (32 CFR §170.17(c)(4); DoD CIO CMMC Artifact Hashing Tool User Guide, v2.14, September 2025). Hashing is an integrity control, not a confidentiality one — it detects change; it does not hide or protect your data.
Six-year retention
Retention runs six years from the CMMC Status Date under 32 CFR §170.17(c)(4) — not six years from when you created the file. Each assessment path carries a parallel six-year retention provision (§§170.15–170.18). A common, expensive mistake is destroying evidence at the three-year mark on the assumption that retention matches the triennial cycle. It doesn’t. Keep the exact version you relied on, for six years.
Hashing is not encryption
Say it out loud to anyone on your team who’s fuzzy on this: hashing tells you whether an artifact changed. It does nothide the artifact, control who can open it, or satisfy your obligation to protect CUI or proprietary information (DoD CIO CMMC Artifact Hashing Tool User Guide, v2.14). Confidentiality is a separate job — access control and encryption. Don’t let “we hashed it” stand in for “we protected it.”
How hashing actually works, in practice
For a C3PAO or DIBCAC assessment (DoD CIO CMMC Artifact Hashing Tool User Guide, v2.14):
- The official PowerShell tool hashes each assessment artifact with SHA-256, generates a list of artifact filenames and their hashes, then produces a hash of that list (the integrity hash).
- Because the artifacts stay with you, file handling matters: some systems — SharePoint is the classic example — alter file metadata when files are uploaded or moved, which can change the hash values. Storing the artifact set in a zipis the guide’s recommended practice to preserve integrity.
- The proprietary artifact filesnever leave your control — the assessment team does not take or retain your artifacts offsite. What you provide the C3PAO for eMASS is the list of artifact names, the hash return values, and the hashing algorithm (32 CFR §170.17(c)(4)). At the end of the assessment, you and the assessor each hold the artifact-name list, the individual hashes, the hash of the list, and a zip of those records; the C3PAO or DIBCAC enters the integrity hash into eMASS.
Does eMASS store your evidence files? No — but metadata is submitted.
Your full proprietary evidence repository is not uploaded anywhere. For the Level 2 (C3PAO) and Level 3 (DIBCAC) paths, 32 CFR §170.17(c)(4) requires submitting to CMMC eMASS the artifact names, the hash return values, and the hashing algorithm — not the artifacts themselves. Self-assessment results and affirmations are entered in SPRS. Your evidence stays in your access-controlled storage for six years — which is the point: it keeps sensitive material out of a system you don’t control while still letting DIBCAC re-run the hashes years later and confirm nothing changed.
One caution: don’t pre-hash a working repository that’s still changing and treat it as final. Keep four things distinct — your working evidence, the final assessment evidence set, the hash manifest, and the protected archival copy.
How should CMMC assessment evidence be stored and organized?
Organize evidence around an objective-level index — not one folder per requirement — and store it in an access-controlled repository appropriate to what it contains. Because assessment evidence can expose CUI, credentials, configurations, vulnerabilities, and proprietary architecture, “wherever it’s convenient” is not an acceptable storage standard. The index points to the protected evidence; it should never become a second, uncontrolled copy of your sensitive files.
The evidence index: the fields that matter
Build a simple index (a spreadsheet is fine to start) that connects each objective to its proof. At minimum, capture: requirement ID, objective ID, objective text, SSP section, scope segment or asset population, evidence-object name and type, the likely method (examine/interview/test), the evidence owner, the interview owner, version or approval date, the period represented, repository location, sensitivity (does it contain CUI or Security Protection Data?), retention start and end dates, hashing applicability, status, refresh trigger, and any related plan-of-action or provider-responsibility note.
Use many-to-many mapping — stop duplicating files
One artifact often supports several objectives; one objective often needs several artifacts. If you copy the same file into a dozen control folders, you’ll lose track of the authoritative version and end up hashing the wrong one. Model it as a relationship: an objective table, an artifact table, and a mapping between them. Point to one authoritative copy.
Repository criteria to evaluate
Judge any repository — GRC platform, secure file share, enclave — on access control, least privilege, MFA, encryption, logging, version history, retention and legal hold, backup and recovery, exportability, its relationship to your CUI scope, provider responsibilities, and whether you can keep the index separate from the sensitive artifacts. And a real risk worth stating plainly: a tool that processes, stores, or transmits CUI — or provides security protection for in-scope assets — can itself become part of your CMMC scope or your External Service Provider analysis. Don’t place CUI in a tool unless its use is authorized for that information and the tool is addressed in your scope, contractual, technical, and provider-responsibility analysis.
Never submit CUI, credentials, system configurations, network diagrams, vulnerability details, drawings, or sensitive contract information through The Defense Compliance Report’s tools or provider-matching forms.
What to verify before you sign a CMMC self-assessment or annual affirmation
Before you rely on a self-assessment or affirmation, confirm that your scope, SSP, objective findings, score, final evidence, provider responsibilities, plan-of-action treatment, and retained artifact set all tell the same current story. A complete folder is not enough when the underlying control is absent, the scope is wrong, or the evidence doesn’t support the statement being affirmed. This matters more than ever right now: the suspension didn’t touch self-assessments, and the Affirming Official is still standing behind the organization’s implementation.
Run this before anyone signs:
- Confirm the applicable contract clauses with your contracting officer (especially given the July 2026 changes to solicitations and contracts).
- Confirm whether you handle FCI or CUI.
- Confirm the assessment boundary.
- Reconcile the SSP, asset inventory, network diagram, and CUI data flow with each other.
- Confirm every applicable objective has a documented basis.
- Confirm every relied-upon artifact is final, not draft.
- Reconcile documents against interviews and demonstrations.
- Confirm external-provider and shared-responsibility evidence.
- Recalculate the score from the current implementation.
- Confirm whether your situation permits a plan of action (see the distinction below), and treat it accordingly.
- Preserve the assessment artifact set and record retention dates.
- Confirm the Affirming Official has a defensible factual basis to sign.
- Confirm the correct result is posted in SPRS.
- Write down any unresolved legal or contractual interpretation questions.
- Get qualified advice — this page is research, not an official determination.
One distinction worth pinning down before step 10: don’t blur an operational plan of action (the CA.L2-3.12.2 kind, addressed in scoring at 32 CFR §170.24(b)(1)(ii)) with a Conditional CMMC POA&M governed by §170.21. The Conditional-status POA&M has its own eligibility restrictions and a 180-day closeout requirement. They are not the same instrument, and treating them as interchangeable is how a “conditional” status quietly becomes a failed one.
Before anyone affirms, run the checklist.
A missed objective or a stale SSP is a lot cheaper to catch this week than after you’ve signed. Our CMMC Readiness Checklist walks the 14 families and the pre-affirmation steps so nothing gets rubber-stamped.
→ Open the Readiness Checklist
When do you need an RPO, MSSP, GRC platform, CUI enclave, C3PAO, or attorney?
Choose the provider category based on the problem you can’t solve internally — not on whoever emailed you first. Readiness and interpretation point to an RPO/RP; operating security capabilities points to an MSSP; organizing evidence points to a GRC platform; shrinking CUI scope points to an enclave; a formal certification assessment points to a C3PAO; and contract interpretation points to a federal-contracts attorney. Keep readiness help and formal assessment appropriately separate — the same team can’t prepare you and then independently assess you within the prohibited window.
| Your unresolved problem | Category to evaluate | What it should do | What it is not |
|---|---|---|---|
| Scope, objective interpretation, SSP, readiness plan | RPO/RP (Registered Provider Organization / Registered Practitioner) or qualified readiness consultant | Translate requirements into implementation and evidence work | The independent assessor |
| Controls aren’t consistently operated | MSSP (Managed Security Service Provider) / CMMC-focused MSP | Operate, monitor, and document the safeguards | Automatic proof every objective is MET |
| Evidence is fragmented and hard to govern | GRC platform | Manage mappings, ownership, versions, tasks, exports | A substitute for implementation |
| A broad environment makes CUI scope impractical | CUI enclave / secure collaboration | Reduce or restructure where CUI is processed, stored, transmitted | A universal answer for every workflow |
| A formal independent assessment applies to you | C3PAO | Conduct the Level 2 certification assessment when a contract lawfully requires that pathway | The consultant who prepared you within the prohibited period |
| Contract clause, flow-down, dispute, or legal applicability | Qualified federal-contracts attorney | Interpret contractual duties and legal exposure | A technical implementation provider |
On assessor independence — the exact rule, not a paraphrase: CMMC Ecosystem members are prohibited from participating in the Level 2 certification assessment of an organization they served as a consultant to prepare for any CMMC assessment within the preceding three years (32 CFR §170.8). That’s a specific, bounded restriction. Don’t let anyone stretch it into “no affiliated business relationship, ever,” and don’t let anyone wave it away, either. Confirm current conflict and eligibility status before you retain an assessment organization.
Not sure which category you need? Get matched — free, and category-first.
Tell us your required level, your FCI/CUI scope, your assessment path, your environment, and your timeline, and The Defense Compliance Report’s Find My CMMC Path tool maps you to the right provider category— not a sales pitch. It routes to a category, not a named provider, and it isn’t a score, ranking, or compliance advice. Do not submit CUI, drawings, credentials, configurations, or sensitive contract details.
→ Find My CMMC Path
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
What we actually verified — and how
We separate three kinds of claims on this page, because they take three kinds of proof. Regulatory facts are cited to the controlling authority. Current-status facts carry a verification date. Editorial frameworks are labeled as ours and kept consistent with the verified facts. Here’s the paper trail. Spot something wrong? Tell us — we correct errors on the record.
What 32 CFR requires(the binding rule): the three assessment findings and the “final form, not draft” evidence standard (§170.24); six-year artifact retention and the eMASS submission of artifact names, hash values, and algorithm for the C3PAO path (§170.17(c)(4), with parallel provisions at §§170.15–170.18); the assessor-independence restriction (§170.8); and the incorporation of NIST SP 800-171 Revision 2 and the June 2018 SP 800-171A procedures (§§170.2, 170.14). We read these on the eCFR.
What the current program status provides (verified ): the Department of War’s July 13 announcement suspending CMMC Phase II and its implementing direction, corroborated by Federal News Network, Breaking Defense, Washington Technology, and National Defense Magazine, plus the SBA’s statement. DFARS 252.204-7012 remains in effect.
What the official guidance explains(clarifying, but not itself law — the guides say so): the three methods, four objects, and 320 Level 2 objectives (NIST SP 800-171A; CMMC Assessment Guide – Level 2); and the hashing workflow (DoD CIO CMMC Artifact Hashing Tool User Guide, v2.14, September 2025).
What is DCR editorial analysis or judgment(defensible, and consistent with the verified facts above): the per-family distribution of the 320 determination statements (our count from the CMMC Assessment Guide – Level 2 — a determination-statement concentration measure, not a risk or enforcement ranking), the DCR Evidence Chain, the family evidence-focus and evidence-risk columns, the event-based refresh triggers, the evidence-index design, and the provider-category fit guidance.
Where we relied on secondary contextrather than a primary source: the assessor-sampling observation (an exploratory February 2026 preprint, 17 responses) and the capacity figures in the Department’s remarks (dated reported estimates, not a live Cyber AB Marketplace count).
CMMC assessment evidence FAQ
These answers resolve the questions most likely to send you back to search, each bounded by the current rule and the July 2026 procurement posture.
- What is CMMC assessment evidence?
- It’s final, in-scope information — records, configurations, logs, interviews, and observed behavior — that supports a finding that a specific assessment objective is satisfied, under 32 CFR Part 170. It comes from four object types (specifications, mechanisms, activities, individuals) and is examined, interviewed, or tested.
- Is there an official CMMC evidence checklist?
- No. There’s no single official artifact checklist, fixed screenshot quota, or universal freshness window. The controlling sources require findings at the objective level and let assessors select the methods and objects that give sufficient confidence (CMMC Assessment Guide – Level 2).
- Is a signed policy enough for CMMC?
- Only for the facts a policy actually establishes — intent, scope, roles, parameters. Implementation and operating objectives normally need corresponding technical, activity, personnel, or test evidence. A policy alone doesn’t prove a control runs.
- Can screenshots count as CMMC evidence?
- Yes, for what a screenshot genuinely shows: a point-in-time state. The risk is overstating it. A snapshot may not prove scope, population, or operation over time — corroborate it with configs, records, or a live test where the objective needs it.
- Do I need evidence for all 320 assessment objectives?
- For a Level 2 assessment, every applicable objective needs a documented basis, and each must be MET or Not Applicable for its requirement to be MET (32 CFR §170.24).
- Does every objective require examine, interview, and test?
- No. Those are potential methods, and NIST SP 800-171A does not require all three for every objective — assessors select what’s needed for sufficient confidence. The guide does note that most objectives will involve some testing.
- How many evidence artifacts do I need per objective?
- There’s no prescribed count. Enough to establish the objective across your scope with sufficient confidence, in final form, consistent with interviews and live operation. One authoritative artifact is sometimes enough; sometimes you need a population. It depends on the objective.
- Can one artifact support more than one objective?
- Yes — and many do. Map it as a many-to-many relationship rather than copying the file into multiple folders, so you preserve one authoritative version.
- How recent must CMMC evidence be?
- No universal CMMC clock sets one freshness period, but a contract, your procedures, or the control’s cadence can. Static artifacts (policies, diagrams) must stay accurate and follow their review cadence; dynamic evidence (scans, reviews, logs, training) needs to reflect the relevant operating period (32 CFR §170.24).
- What happens when the policy and the live system disagree?
- If the contradiction means an applicable objective isn’t satisfied, the requirement is NOT MET, and the assessor documents why (32 CFR §170.24). If it’s a reconcilable discrepancy, resolve and document it before the assessment.
- How long must CMMC evidence be retained?
- Six years from the applicable CMMC Status Date (32 CFR §170.17(c)(4), with parallel provisions across §§170.15–170.18). Keep the exact version you relied on.
- Does self-assessment evidence need to be hashed?
- No. Artifact hashing is required only for C3PAO and DCMA DIBCAC assessments, not self-assessments (DoD CIO CMMC Artifact Hashing Tool User Guide, v2.14).
- Does a C3PAO keep copies of our evidence?
- Not the files. The assessment team does not take or retain your proprietary artifacts offsite; you keep the evidence package for six years. You provide the C3PAO with the artifact-name list, the hash values, and the algorithm for eMASS (32 CFR §170.17(c)(4); DoD CIO CMMC Artifact Hashing Tool User Guide, v2.14).
- Is CMMC evidence uploaded to eMASS or SPRS?
- Not the full repository. For Level 2 (C3PAO) and Level 3 (DIBCAC), 32 CFR requires submitting to CMMC eMASS the artifact names, hash return values, and hashing algorithm; assessment results then populate the applicable government records. Self-assessment results and affirmations are entered in SPRS.
- What supports a Not Applicable finding?
- Not Applicable applies when the requirement or objective doesn’t apply at the time of assessment, and it counts the same as MET for that item (32 CFR §170.24). The assessment guides identify recording the rationale as best practice.
- What if my current solicitation or contract still says Level 2 (C3PAO)?
- Rely on the contracting officer’s formal amendment or modification, not the July 13 announcement. The directive orders amendments to affected active solicitations and modifications to affected existing contracts; the instrument in your possession changes when the contracting officer changes it.
- What’s the difference between the triennial Level 2 self-assessment and the annual affirmation?
- The Level 2 (Self) assessment is performed and posted on a three-year cycle; the affirmation — the Affirming Official’s attestation of implementation and continuing compliance — is submitted at assessment and annually thereafter (32 CFR Part 170).
- What exactly is posted in SPRS for Level 1 (Self) and Level 2 (Self)?
- For Level 1 (Self): the CMMC level, the status date, the assessment scope, the relevant CAGE code(s), and the compliance result. For Level 2 (Self): those fields plus the overall Level 2 score and, where applicable, plan-of-action usage/status. Post from your current implementation, and affirm.
- Is a legacy NIST SP 800-171 score the same as a CMMC Status?
- No. A NIST SP 800-171 DoD Assessment score (Basic/Medium/High) and a CMMC Status are related but distinct. Your CMMC obligations are set by the applicable contract; a prior 800-171 score does not by itself establish a CMMC Status.
- Which DFARS assessment clause applies after Class Deviation 2026-O0025?
- For instruments using the deviation (effective February 1, 2026), the NIST SP 800-171 government-assessment clause is DFARS 252.240-7997 (Medium and High assessments); 252.204-7021 remains the CMMC clause; and codified DFARS still displays 252.204-7019 and 252.204-7020. Read your actual solicitation or contract and the deviation it invokes.
- What’s the difference between an operational plan of action and a Conditional CMMC POA&M?
- An operational plan of action (CA.L2-3.12.2; §170.24(b)(1)(ii)) is part of running your program. A Conditional CMMC POA&M (§170.21) is a specific status pathway with eligibility restrictions and a 180-day closeout requirement. Don’t treat them as interchangeable.
- Who should confirm our scope and contractual applicability?
- A CMMC Registered Practitioner (RP) or Registered Provider Organization (RPO), and — where contract interpretation is involved — a qualified federal-contracts attorney. The contract clause and your CUI handling set your level, not a checklist.
Ready for the next step?
You came here to find out what counts as CMMC assessment evidence. You now know what counts, what fails, how much is enough, how it’s scored, how long to keep it, when it must be hashed, and what today’s Phase II suspension does and doesn’t change. If you’re staring at scattered proof and a self-assessment you have to affirm, the move is simple: map it to objectives, close the gaps, and keep it current.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.